From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Nov 11 2002 - 07:53:11 CST
***********************************************************************
SANS Critical Vulnerability Analysis
November 11, 2002 Vol. 1. No. 16
***********************************************************************
Summary: Every week, the CVA prioritizes and summarizes the most
important vulnerabilities identified during the past week and provides
data on actions taken by security and systems managers at fifteen
very large organizations (the Council) to protect their computers
and networks from exploits of the reported vulnerabilities.
See "About the CVA Process and Council" at the end of this note for
more data on how the report is compiled.
***********************************************************************
TABLE OF CONTENTS:
Widely Distributed Products
---------------------------
(1) CRITICAL: Cisco ONS Optical Transport Platform Multiple
Vulnerabilities
(2) HIGH: Oracle iSQL*Plus Username Buffer Overflow
(3) MODERATE: NetScreen SSH Denial of Service Vulnerability
Other Products
--------------
(4) LOW: Log2Mail Log Message Handling Buffer Overflow
(5) LOW: Pablo FTP Server Format String Vulnerabilities
************* Sponsored by SANS San Francisco Conference **************
Eight of SANS top-rated faculty members will be teaching SANS most
popular courses in San Francisco, December 15-20. SANS has conducted
a multi-year competition to identify the best instructors in each
subject area. Last year more than 100 people tried out - fewer
than five made the grade. Come to SANS if you are serious about
mastering security and you want to learn from the best teachers in
the world. And, if you seek to earn CISSP certification as well as
GIAC certifications, this is the only place you can get training.
Details: http://www.sans.org/CDI02/index2.php
***********************************************************************
*******************************
Widely Deployed Software
*******************************
(1) CRITICAL: Cisco ONS Optical Transport Platform Multiple
Vulnerabilities
Affected Products:
Cisco ONS 15454 Optical Transport Platform
Cisco ONS 15327 Edge Optical Transport Platform
All Cisco ONS software releases prior to 3.4 are vulnerable.
Description:
The Cisco ONS software has been found to contain multiple
vulnerabilities; the most significant are listed below:
o Remote FTP logins succeed with any username/password, even invalid ones
o SNMP community string is hard coded as 'public'
o Malicious HTTP requests cause the device to reset
o Hard coded back-door username/password allows telnet access to
underlying VxWorks operating system
Risk: Remote exploit.
A remote attacker can gain complete control over the Cisco ONS
platform.
Deployment: Significant.
According to Cisco, the ONS 15454 is the industry's leading SONET
Multiservice Platform with 30,000 systems deployed worldwide.
Ease of Exploitation: Trivial.
An attacker who knows the hard coded username/password can gain access
via telnet; any attacker can gain FTP access to the system and upload
configuration files or delete software images. These are just a
few examples.
Status: Vendor confirmed, fixed software available.
References:
--------------
Cisco Security Advisory:
http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml
Cisco ONS 15454 Documentation:
http://www.cisco.com/univercd/cc/td/doc/pcat/15454.htm
ISS Security Advisory:
http://www.iss.net/security_center/static/10510.php
SecurityFocus Vulnerability Information:
http://online.securityfocus.com/bid/6073
http://online.securityfocus.com/bid/6083
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.
Due to the critical nature of this problem, several of the council
sites chose to double-check with the appropriate support groups to
verify that the products were not in use.
************************************************************
(2) HIGH: Oracle iSQL*Plus Username Buffer Overflow
Affected Products:
iSQL*Plus in Oracle9i Database
o Release 1, Release 9.0.x (all releases)
o Release 2, Releases 9.2.0.1 and 9.2.0.2
Description:
Oracle iSQL*Plus allows authenticated users to execute database queries
via a web-based interface. The web software contains a buffer overflow
vulnerability that can be triggered by submitting a large userID
during the login process. Remote attackers can exploit the flaw to
execute arbitrary code with the privileges of the web server process
(SYSTEM on Windows).
Risk: Remote exploit.
Remote attacker-supplied code execution with the privileges of the
server process, typically 'SYSTEM' on Windows platforms and 'oracle'
on other platforms.
Deployment: Significant.
Simply searching Google for "iSQL*Plus" reveals a number of potential
victim sites exposing login pages to the Internet.
Ease of Exploitation: Unknown.
This is a classic stack-based buffer overflow vulnerability.
Status: Vendor confirmed, patch available.
References:
------------
NGSSoftware Security Advisory:
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0060.html
Oracle Security Advisory:
http://otn.oracle.com/deploy/security/pdf/2002alert46rev1.pdf
ISS Security Advisory:
http://www.iss.net/security_center/static/10524.php
SecurityFocus Vulnerability Information:
http://online.securityfocus.com/bid/6085
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.
One council site was still awaiting results of queries on possible
limited internal deployments. If any are found, they plan to
ensure the appropriate patches are rolled out in a timely manner.
**********************************************************
(3) MODERATE: NetScreen SSH Denial of Service Vulnerability
Affected Products:
NetScreen appliances. NetScreen-25 tested and found vulnerable.
All models are expected to be vulnerable.
Description:
A remote attacker who executes any of the SSH1 CRC32 Compensation
Attack Detector vulnerability exploit codes (in wide circulation)
against a NetScreen SSH server can cause the device to reset.
The problem is not believed to be due to the old CRC32 bug -- it
appears that the available exploit codes are coincidentally triggering
a different vulnerability.
Risk: Remote attack.
Remote attackers can cause a NetScreen device to reset using publicly
available exploit codes. The device requires a hard reboot to recover.
Deployment: Moderate.
NetScreen security devices are installed at many companies and in
many enterprise environments. However, the NetScreen SSH server is not
enabled by default and, even when enabled, is typically only available
on the device's trusted management interface.
Ease of Exploitation: Trivial.
Exploit codes that trigger the bug are widely available.
Status: The advisory indicates vendor confirmation but a patch has
not yet been released. As a workaround, administrators are advised
to disable the SSH service.
References:
-------------
VulnWatch Security Advisory:
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0053.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0054.html
SecuriTeam Security Advisory:
http://www.securiteam.com/securitynews/6W0050U60O.html
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.
***************************
Other Software
***************************
(4) LOW: Log2Mail Log Message Handling Buffer Overflow
Affected Products:
log2mail 0.2.5.0 and possibly earlier versions
Description:
Log2mail is a utility that watches log files for lines containing
specific patterns and sends email when a match is found. The
log2mail daemon contains a buffer overflow that can be triggered by a
maliciously crafted log message. If a remote attacker can dictate the
content of log entries written to a target system, he/she can exploit
the vulnerability to execute arbitrary code with root privileges.
Risk: Remote root compromise.
Deployment: Small.
The vulnerable software is included with the official Debian
distributions, starting with Debian 3.0. The daemon is not enabled
by default.
Ease of Exploitation: Unknown.
The advisory provides few technical details, but the log2mail source
code is freely available and the vulnerability is said to be due to
a static buffer overrun.
Status: Vendor confirmed, updated software available.
References:
-------------
Debian Security Advisory:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0474.html
SecurityFocus Vulnerability Information:
http://online.securityfocus.com/bid/6089
Log2Mail Home Page:
http://people.debian.org/~enrico/log2mail/
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.
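The iSQL*Plus userID overflow above and the log2mail static buffer overrun share one root cause: untrusted text copied into a fixed-size buffer with no length check. The C below is an added illustration written for this digest, not code from Oracle, log2mail or Debian; the matcher, the 64-byte buffer size and the syslog-style sample line are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 64   /* deliberately small so the overrun is easy to see */
enum { NO_MATCH = 0, MATCH = 1, MATCH_TRUNCATED = 2 };

/* Unsafe shape: strcpy stops only at the NUL, so a matching log line longer
 * than LINE_MAX_LEN-1 bytes overruns the stack buffer. Kept only to show the
 * defect; never call it on untrusted input. */
int match_line_unsafe(const char *logline, const char *pattern)
{
    char copy[LINE_MAX_LEN];
    if (strstr(logline, pattern) == NULL)
        return NO_MATCH;
    strcpy(copy, logline);                /* no length check */
    return MATCH;
}

/* Bounded form: the copy can never exceed cap bytes, and the caller is told
 * when the line was cut so it can flag the event instead of silently losing
 * the tail of an attacker-influenced entry. */
int match_line_bounded(const char *logline, const char *pattern,
                       char *out, size_t cap)
{
    if (strstr(logline, pattern) == NULL)
        return NO_MATCH;
    snprintf(out, cap, "%s", logline);    /* at most cap-1 bytes plus NUL */
    return strlen(logline) < cap ? MATCH : MATCH_TRUNCATED;
}

/* Watch for one pattern, the way a log-to-mail daemon would. */
int check_line(const char *logline)
{
    char out[LINE_MAX_LEN];
    return match_line_bounded(logline, "Failed password", out, sizeof out);
}

/* Constructed sample (not a real log): a syslog-style line whose tail the
 * remote party controls, here a 500-byte login name from a failed login. */
int check_long_line(void)
{
    char line[600];
    const char *head = "sshd: Failed password for ";
    size_t n = strlen(head);
    memcpy(line, head, n);
    memset(line + n, 'A', 500);
    line[n + 500] = '\0';
    return check_line(line);
}
```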
**************************************************************
(5) LOW: Pablo FTP Server Format String Vulnerabilities
Affected Products:
Pablo FTP Server version 1.5 and prior
Description:
Pablo FTP Server for Windows contains format string vulnerabilities
in the handling of various FTP commands, including the user logins.
This could allow a remote unauthenticated attacker to crash the server
or execute arbitrary code with the privileges of the server process.
Risk: Remote exploit.
Remote FTP server crash or arbitrary attacker-supplied code execution.
Deployment: Small.
Pablo is a freeware FTP server for Windows.
Ease of Exploitation: DoS -- trivial. Code execution -- unknown.
The advisory contained an example of how to crash the server remotely
by supplying a particular username during the login process.
Status: Vendor confirmed, updated software available.
References:
-----------------
VulnWatch Security Advisory:
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0057.html
Pablo FTP Server Home Page:
http://www.pablovandermeer.nl/ftp_server.html
SecurityFocus Vulnerability Information:
http://online.securityfocus.com/bid/6099
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.
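The Pablo FTP flaw belongs to the format-string class: the login name ends up where a format string is expected. The C below is an added illustration, not Pablo FTP Server's code; the logging functions, the detection helper for a defender reading FTP logs, and the sample login names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe shape: the client-supplied name is passed as the format string,
 * so any '%' directives in it are interpreted by snprintf instead of being
 * copied. Kept only to show the bug; never call it on untrusted input. */
int log_login_unsafe(const char *user, char *buf, size_t cap)
{
    return snprintf(buf, cap, user);
}

/* Fixed: the format is a constant and the name is data for %s, so a '%' in
 * the name is copied literally. Returns 0 on success, -1 if the line did not
 * fit, so the caller never records a silently truncated entry. */
int log_login_safe(const char *user, char *buf, size_t cap)
{
    int n = snprintf(buf, cap, "USER %s", user);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Defender-side check for FTP logs: count '%' sequences in a login name
 * that look like printf conversions. "%%" and a trailing '%' are harmless;
 * real names almost never contain the rest, so a non-zero count is an alert. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%' || s[1] == '\0')
            continue;
        if (s[1] == '%') { s++; continue; }           /* escaped: "%%" */
        const char *p = s + 1;
        while (*p && strchr("-+ #0123456789.", *p))   /* flags, width, precision */
            p++;
        if (*p && strchr("diouxXeEfgGcspn", *p))      /* conversion letter */
            count++;
    }
    return count;
}

/* Constructed sample: a login name full of directives goes through the safe
 * logger and must come out character for character. Returns 1 on success. */
int check_safe_logger_keeps_percent(void)
{
    char line[64];
    if (log_login_safe("%x%x%s", line, sizeof line) != 0)
        return 0;
    return strcmp(line, "USER %x%x%s") == 0;
}
```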
***************************************************************
About the CVA Process and Council
=================================
The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research Jeff
Forristal and the Neohapsis team scour all of the major vendor web
sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of
all new vulnerabilities and major vulnerability announcements made
during the week. The SANS Institute and Network Computing Magazine vet
the list through the major system manufacturers and jointly publish
it every week as the Security Alert Consensus (SAC). Anyone may
subscribe to the SAC at http://www.sans.org/newlook/digests/SAC.htm
Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly five years and her work in the field is legendary.
Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.
Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.
**********************************************************************
Critical Vulnerability Analysis Scale Ratings
CRITICAL: Vulnerabilities are rated CRITICAL if the impact of
exploiting the vulnerability can disrupt critical or large segments of
a network (e.g. Internet facing services) or if the impact involves
a remote exploit that provides root access to the host. Typically,
for CRITICAL vulnerabilities, the vulnerability is easy or trivial to
exploit and/or exploit code is available. Critical vulnerabilities
usually involve server systems and/or high-value assets. Remediation
for alerts of this nature should begin within 48 hours, and in some
cases, immediately depending on the widespread use of the technology
within your organization.
HIGH: Vulnerabilities are rated HIGH if the impact of exploiting the
vulnerability is not as severe as CRITICAL alerts and the affected
software/platforms are generally not critical services within the
organization. A HIGH vulnerability may be something that affects
the client side (user hosts) rather than a service such as Mail, DNS,
Web, etc. Typically, there is a higher degree of difficulty in
exploiting HIGH vulnerabilities. Exploit code may not be available
or the attacker must entice the victim (e.g. visit a server or run an
attachment) to exploit the code. Remediation for alerts of this nature
should begin within five business days. If there is widespread use of
the technology at your organization or critical hosts are involved,
the remediation effort should begin sooner.
MODERATE: Vulnerabilities are rated MODERATE if the probable impact
of exploiting the vulnerability is considered low due to the limited
severity of the vulnerability, or there is a very high degree of
difficulty in exploiting the vulnerability, and an exploit is not
available in the wild. Moderate vulnerabilities may require the
attacker to have some type of user privileges or entice the victim in
order to exploit the problem. Remediation for alerts of this nature
should begin within 15 business days. If there is widespread use of
this technology at your organization or you run the affected software
on critical hosts, the remediation efforts should begin sooner.
******************************************************************
Subscriptions: The CVA is distributed free of charge to chief
information security officers and technical security managers of
organizations with at least 1000 systems, to GIAC certified security
professionals, and to recent alumni of SANS courses. Eligible
recipients may register all other technical and managerial security
staff in their organizations, or may forward it to any such persons
in their organizations, but not to people outside their organizations.
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers). You will receive your personal URL via email.
Copyright 2002. No copying or forwarding allowed except by registered
subscribers.
==end==